BOFH: This laptop has ceased to be. And it's pub o'clock soon
Quantum security is no joke, y'know
You know what it's like. The Boss asks you some technical question, you give him a non-technical answer and he suddenly thinks you're lying to him – or worse – that you don't know what you're talking about.
He needs it explained to him in a manner that sounds technical, but isn't too technical for him to stack overflow. ON A FRIDAY AFTERNOON.
Today it's our website.
"So how secure is it?" he asks pointedly.
"A WordPress site?" I ask. "Configured with every plugin under the sun? Loosely 'administered' by the PR team? Hosted on a cloud server in who-knows-where, chosen with the same care and attention you'd use in picking a toilet to use after seven pints and a bad curry and a half-hour tube ride which only gets you half-way home."
"So it's not secure?"
"Never updated, never vetted, protected by what's probably a one-bit self-signed SSL key?"
"So it IS secure?" he asks.
"With content that was just sucked out of our old web server and sports-massaged into the new server by someone who left their A-Z of IT night course just before C, when Butchery came up?"
"So it's not secure?"
"Nah, it's safe as houses," I say.
The Boss has his sarcasm-proof hearing aids in so I'll have to spell it out plainly.
"It's insecure," I say.
"How insecure are we talking?"
"It is so insecure that the hosting company remirrors it every hour."
"So... it takes an hour to be compromised?" he asks, using a word he must have recently heard at an IT Manager's round table somewhere.
"No, it takes about 30 seconds to compromise, but on average it takes about an hour for the robots to find it," I reply.
"Well what are the vulnerabilities?" he asks – again with the technical words. (It's possible he's had a stack upgrade somewhere along the line)
"I could tell you – but the quantum rule of insecurity applies."
"The quantum rule of insecurity – which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service. Have you not heard of Schrödinger's Laptop?"
"There's a laptop, in a box, with a bomb. The bomb is actually timed to explode at some unknown time in the future – BUT if you lift the lid there's a switch connected to the lid which will make the bomb go off immediately. So the question is, is the laptop working or not?"
"Is it powered on? Is it open?" the Boss asks, like a helpdesk savant.
"You're missing the point – the point is that you might not KNOW if the laptop was working or not, but as soon as you open the lid it will DEFINITELY not be working."
"So... you're saying that... the laptop might have... different... states... than just working or not working."
"Who cares, it's not my laptop," I reply. "And it's not my webserver either. We told them to get a reputable hosting company if they put it on the cloud and they just clicked on the first thing that came up in their Google search."
"I see. So back to this laptop –" the Boss says, breaking out a small sweat as the CPU cranks up "– are you saying that it could be considered to be alive, dead, neither … or both?"
"Oh, it's dead," I say. "It's got Windows 8 on it."
"But you don't KNOW it's dead. And anyway, my home laptop has Windows 8 on it – nothing wrong with it!"
"Knowing isn't the point – but we all know 8's a machine killer."
"But the only way you could be 100 per cent sure is by opening the lid!" he says.
"IT'S RUNNING WINDOWS 8!" I say. "Of course it's dead. Anyway, I wouldn't open the box, I'd just tell security that someone left them a vintage slab of Tennents Extra for helping them to push-start their car."
"But what if they haven't helped push-start a car?"
"Trust me, the only thing OUR security would push-start is the ciggy lighter in their car or the call button at a drive-thru deep fry house. And besides, the words 'Tennents Extra' ring in their ears so loudly the tinnitus will block the rest of the sentence out."
"So you'd maim a security guard just to prove a point?"
"It's one of OUR security guards! They gain a stone a year, have a three figure BMI and an average life expectancy of 27! I'd be doing them a favour!"
"So how do we make our website secure – as it sounds like we don't host it?"
"You're right we don't. But there are some simple steps we generally take to secure a rogue service hosted in the cloud."
"Yes?"
"Well, first we find the ACTUAL cloud site that is hosting the service – in this case a web site."
"...and get a consultant in to patch it and run penetration testing?" the Boss says, with more technical words than he knows what to do with.
"No. Generally we get a work van, a brick, and three or four large drums of petrol with the filler caps removed..."
The Boss finally realises the futility of trying to engage me in technical conversation in pub-countdown time and wanders off to his office.
The PFY is just about to say something to me when there's a medium >crump< sound from outside the office.
"Schrödinger's Laptop?" he asks.
"It's an ex Laptop."
"It has ceased to be," the PFY nods.